New Charges Filed Against Alleged Capital One Hacker

The United States has filed additional charges against a former Amazon employee accused of stealing the personal data of more than 100 million Americans and six million Canadians.

A superseding indictment filed in June brings seven new charges against former software engineer Paige A. Thompson relating to the hack of Capital One. Six of the charges relate to computer fraud and abuse and one relates to access device fraud.

Capital One announced in 2019 that “unauthorized access by an outside individual” had compromised millions of customers' personal data. A configuration vulnerability was blamed for the breach, for which Capital One was fined $80m in 2020.

The bank was tipped off about the intrusion by a GitHub user to whom Thompson allegedly revealed details of the theft. 

Thompson was arrested in July 2019, and a month later, a federal grand jury indicted her on one count of wire fraud and one count of computer fraud and abuse connected to the unauthorized intrusion into stored data belonging to more than 30 different companies. 

The defendant, who is also known as "erratic," is accused of creating scanning software that allowed her to identify Amazon customers who had misconfigured their firewalls, making it possible for outside commands to penetrate and access their servers. 

The former software engineer allegedly used this access to steal account credentials and more than 20 terabytes of data, which she stored on a server maintained at her own residence. 

It is further alleged that Thompson carried out cryptojacking, using stolen computer power to “mine” cryptocurrency for her own benefit.

The superseding indictment adds four new technology companies to the list of organizations impacted by Thompson's alleged illegal activity. They are a company that specializes in digital rights management, a company that provides data and threat protection services, a company that provides interaction-management solutions for customer interactions in call centers and other environments, and a company that provides higher education learning technology to educational institutions and other clients. 

Thompson has pleaded not guilty to the charges. She is due to go on trial on March 14, 2022.
